Merge remote-tracking branch 'commerce/release' into ph-delivery

magento · Jan 7, 2022 · 7b664bf · 7b664bf
2 parents 483023c + 8a65e78
commit 7b664bf
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/AdobeStockImage/Model/SaveImage.php b/AdobeStockImage/Model/SaveImage.php
@@ -72,6 +72,9 @@ public function __construct(
     public function execute(Document $document, string $url, string $destinationPath): void
     {
         try {
+            if (!preg_match('/^[a-zA-Z0-9\.\-\_\/\s]+$/i', $destinationPath)) {
+                throw new LocalizedException(__('Image File has invalid characters.'));
+            }
             $this->saveFile->execute($document, $url, $destinationPath);
             $mediaAssetId = $this->saveMediaGalleryAsset->execute($document, $destinationPath);
 

diff --git a/AdobeStockImage/Test/Unit/Model/SaveImageTest.php b/AdobeStockImage/Test/Unit/Model/SaveImageTest.php
@@ -120,4 +120,43 @@ public function imageDataProvider(): array
             ]
         ];
     }
+
+    /**
+     * @return array
+     */
+    public function getInvalidPathValues(): array
+    {
+        return [
+            [
+                $this->createMock(Document::class),
+                'https://as2.ftcdn.net/jpg/500_FemVonDcttCeKiOXFk.jpg',
+                '\\invalid chars\\'
+            ],
+            [
+                $this->createMock(Document::class),
+                'https://as2.ftcdn.net/jpg/500_FemVonDcttCeKiOXFk.jpg',
+                '{*invalid_path/\'chars}'
+            ],
+            [
+                $this->createMock(Document::class),
+                'https://as2.ftcdn.net/jpg/500_FemVonDcttCeKiOXFk.jpg',
+                '<img src=\"\" onerror=\"alert(0)\">'
+            ]
+        ];
+    }
+
+    /**
+     * Verify that path validation works if invalid characters are passed.
+     *
+     * @dataProvider getInvalidPathValues
+     * @param Document $document
+     * @param string $url
+     * @param string $destinationPath
+     * @throws LocalizedException
+     */
+    public function testExecuteInvalidPath(Document $document, string $url, string $destinationPath): void
+    {
+        $this->expectException('Magento\Framework\Exception\LocalizedException');
+        $this->saveImage->execute($document, $url, $destinationPath);
+    }
 }